The true cost of email fraud… for Toyota it’s £30 million!
In a few clicks of a mouse on the 14th August 2019, Toyota Boshoku Corporation lost £30 million. You read it right, £30,000,000.
Their press release calls it fraud, which it was, but it’s not clear whether the fraud involved a fake supplier payment instruction or an inter-company transfer. What is obvious is that the fraud was made easier to commit because they seem to have failed to put in place even the most basic technical email security measures.
… and this has cost them £30 million.
They have “promptly established a team comprising legal professionals” (sic), which is a thing, BUT a month later (we checked) they still have no basic email security in place. That’s just ridiculous. Toyota Boshoku is a member of the Toyota Group of companies. So, what about some of the other companies in the group? (I took a random selection from a long list):
Toyota Industries (https://www.toyota-industries.com/) - no email security in place.
Toyota Motor (https://global.toyota/en/) - no email security in place.
Toyota Financial Services (https://www.toyotafinancial.com/us/en.html) - some email security in place. It won’t stop attacks, just log that they have happened.
Toyota Tsusho (https://www.toyota-tsusho.com/english/) - some email security in place. It won’t stop them being impersonated (spoofed) externally and they won’t know it has happened.
Toyo Fuji (http://www.toyofuji.co.jp/english/index.html) - some email security in place. It won’t stop attacks, just log that they have happened.
I don’t have a thing against Toyota Group, they make great cars, but I do have a thing with whoever is advising each of these companies on cyber security. Let’s be absolutely clear: the fraud at Toyota Boshoku could probably have been prevented, and certainly made more difficult to carry out, if standard, free (yes, FREE) email security measures had been put in place within the different Toyota Boshoku Group operations and enforced in key suppliers. At some point someone surely has to ask, “How much do we spend on cyber security and how come no one spotted we were wide open to having £30 million stolen in one or two clicks?”
And the solution?
For less than the cost of a couple of days of a security consultant’s time, KYND ON will tell you what’s missing in your organisation’s email security and how to fix it. Find out more here.